Ransomware survival guide — Operationalizing ransomware protection

Ransomware protection is overwhelming. Every media outlet leads with the devastation and omnipresence of ransomware. Every vendor touts their ransomware “solution” as if such a complex problem could be solved by one product. Every CEO and board member demands a comprehensive ransomware data recovery strategy — within budget, of course. Where do you start?

Our Ransomware Survival Guide provides an in-depth look at how to survive and protect against a ransomware attack, including how to define the data protection component of your ransomware recovery strategy. We share the requirements, best practices, and how to measure and share your progress. We began with the foundations, before exploring advanced ransomware recovery services, and finally, in this article, we conclude with how to operationalize everything. 

Disclaimer: This guide is targeted toward ransomware data protection. There are many additional components to a ransomware strategy, for example, anti-phishing training, SIEM, vulnerability management, and more, that are part of a comprehensive approach to protect against ransomware. No one company, product, or guide covers everything.

This post covers the operationalization of ransomware protection. We will discuss how to optimize the risk/cost equation, build a zero-trust solution, and prepare to evolve with the threats.

Optimize the risk/cost equation

Ransomware is a devastating threat, but companies are not writing blank checks to address the problem. In enterprise data protection and security there is always a balance between cost and risk. 

First, optimize your infrastructure cost by asking three questions:

  1. How many backup copies do I need for each type of data? In some instances, you may just want one air-gapped backup copy. In others, you may want a local copy and a remote air-gapped copy.
  2. Where will I store the air-gapped copies — tape, additional backup appliance, or the cloud?
  3. How much network bandwidth will I need to make and update the air-gapped copies? 

Most organizations do not always want two backup copies because they cannot afford the additional storage and networking costs. Therefore, they adopt a model that, by default, creates network-efficient ransomware-protected backups while allowing them to selectively create local backups. 

Second, optimize the administrative cost. Once again, ask yourself three questions:

  1. How many people will I need to manage the air-gapped network — both the security and the bandwidth provisioning?
  2. How many people will I need to manage the air-gapped storage — tape, backup appliance, or the cloud?
  3. How many people will I need to ensure that the environment is secure — security patches, vendor best practices, immutable storage management, etc.?

As we will discuss later, these are not challenges you can simply “solve” and then ignore. The dynamic nature of the environment and the threats mean that you will require ongoing investment. Since most organizations do not want to add IT infrastructure administrators, you will need to slow down other projects to support ransomware protection. Therefore, most organizations adopt a solution with built-in ransomware protection.

Find a ransomware protection solution that minimizes infrastructure and management costs, so you can reduce risk within your budget. 


Zero-trust has become a security foundation. Don’t trust anybody or anything that is not authenticated and authorized, and then monitor whatever has passed through. Ransomware has taken over our customers’ production systems, emails, and even phone systems. When ransomware can compromise your entire environment, zero-trust is the only possible response. 

Ransomware targets your backups because cyber criminals know backups are your best defense against paying them. If the backups are on-premises, ransomware tries to encrypt, corrupt, or delete them. If you have offsite backups, the cyber criminals try to gain control of your backup system to delete them. 

To protect against ransomware deleting your backups, you need to meet, at a minimum, the following zero-trust requirements:

  1. Multi-factor authentication (MFA) — With MFA, the cyber criminals will need to compromise multiple components of your infrastructure, not just one.
  2. Four eyes — For any destructive operation, it should require the confirmation of at least two people. This can help protect against ransomware and internal bad actors. 
  3. Monitor unusual administrative activity — If an administrator is behaving outside of the norm, suspend activity until the activity can be explained.
  4. Delay deletes — In a world of deduplication, most deletion occurs only when garbage collection reaps freed blocks. Therefore, if there are excessive deletes, hold onto the blocks until the activity can be validated.
  5. No root access to an underlying system — Organizations often focus on securing the backup software management layer, but forget that everything runs on a Linux or Windows box that can, itself, be compromised. If the ransomware can compromise the underlying operating system, your environment is not zero-trust.

While most organizations operationalize two or three of these requirements, the remaining exposures leave them vulnerable to attacks. As ransomware attacks become more intelligent and more aggressive, any exposure will be exploited.


Ransomware attacks are constantly evolving. Whatever you build today will be obsolete because multiple groups are constantly releasing new ransomware packages. You need to be able to evolve with them.

Over the past few years, ransomware has evolved from:

  1. Consumer to enterprise
  2. Attacking production data to attacking backups AND production data
  3. Targeting endpoints and file servers to VMs and databases
  4. Encrypting data to exfiltrating it

A ransomware protection solution from just two years ago is helpless in the face of a modern attack.

You are facing an army of expert attackers, who spend every day trying to compromise your defenses. You can take on that fight yourself, or work with an army of expert defenders who spend every day trying to protect you. “Do it yourself” ransomware protection is not a viable option anymore. It is time to enlist a service.

Key takeaways

Ransomware protection has to be operationalized because it cannot be solved by a product, process, or person alone. Ransomware attacks are constantly evolving, so ransomware protection must evolve to meet them. The attackers try to gain control of the environment, so organizations must adopt zero-trust security across their entire backup environment — hardware, software, and the cloud. Perhaps most importantly, ransomware protection must be cost-optimized because, as we have seen, nobody will write a blank check for insurance. By addressing ransomware as an organizational and operational challenge, instead of a technology challenge, you can stop reacting to threats and take the fight to the cyber criminals. 

You need a ransomware recovery plan because cybercriminals are targeting everyone. Rapid recovery from a ransomware attack can mean the difference between your business surviving the attack or collapsing under lost revenue and customer confidence. You need to be ready. With the right protection, recovery, and operational solution — you can be.

Join us at the 2021 Cyber Resilience Summit

Mark October 13 on your calendar and join security leaders, industry visionaries, Druva experts, and peers as they discuss best practices, experiences, and learnings for cyber resilience. Register for free now.